2006-11-30 13:00:47 +00:00
|
|
|
/*
|
|
|
|
* This is a model of a version of the TLS protocol as modeled in
|
|
|
|
* Boyd, Mathuria "Protocols for Authentication and key establishment"
|
|
|
|
*
|
|
|
|
* It's a very simplified form.
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* below is just Scyther input and no further macro definitions */
|
|
|
|
|
|
|
|
const pk,hash: Function;
|
|
|
|
secret sk,unhash: Function;
|
|
|
|
inversekeys(pk,sk);
|
|
|
|
inversekeys(hash,unhash);
|
|
|
|
|
|
|
|
const Alice, Bob, Eve: Agent;
|
|
|
|
const Terence: Agent;
|
|
|
|
|
|
|
|
protocol tls-bm-1(A,B)
|
|
|
|
{
|
|
|
|
role A
|
|
|
|
{
|
2012-05-02 22:01:08 +01:00
|
|
|
fresh na: Nonce;
|
|
|
|
fresh pmk: Nonce;
|
2006-11-30 13:00:47 +00:00
|
|
|
var nb: Nonce;
|
|
|
|
|
|
|
|
send_1( A,B, na );
|
|
|
|
read_2( B,A, nb );
|
|
|
|
send_3( A,B, { pmk }pk(B),{ hash(na,nb,{ pmk }pk(B)) }sk(A),{ hash(na,nb,{ pmk }pk(B),{ hash(na,nb,{ pmk }pk(B)) }sk(A)) }hash(pmk,na,nb) );
|
|
|
|
read_4( B,A, { na,nb,{ pmk }pk(B),{ hash(na,nb,{ pmk }pk(B)) }sk(A),{ hash(na,nb,{ pmk }pk(B),{ hash(na,nb,{ pmk }pk(B)) }sk(A)) }hash(pmk,na,nb) }hash(pmk,na,nb) );
|
|
|
|
|
|
|
|
claim_A1( A, Secret, hash(pmk,na,nb) );
|
|
|
|
claim_A2( A, Nisynch );
|
|
|
|
}
|
|
|
|
|
|
|
|
role B
|
|
|
|
{
|
|
|
|
var na: Nonce;
|
|
|
|
var pmk: Nonce;
|
2012-05-02 22:01:08 +01:00
|
|
|
fresh nb: Nonce;
|
2006-11-30 13:00:47 +00:00
|
|
|
|
|
|
|
read_1( A,B, na );
|
|
|
|
send_2( B,A, nb );
|
|
|
|
read_3( A,B, { pmk }pk(B),{ hash(na,nb,{ pmk }pk(B)) }sk(A),{ hash(na,nb,{ pmk }pk(B),{ hash(na,nb,{ pmk }pk(B)) }sk(A)) }hash(pmk,na,nb) );
|
|
|
|
send_4( B,A, { na,nb,{ pmk }pk(B),{ hash(na,nb,{ pmk }pk(B)) }sk(A),{ hash(na,nb,{ pmk }pk(B),{ hash(na,nb,{ pmk }pk(B)) }sk(A)) }hash(pmk,na,nb) }hash(pmk,na,nb) );
|
|
|
|
|
|
|
|
claim_B1( B, Secret, hash(pmk,na,nb) );
|
|
|
|
claim_B2( B, Nisynch );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|